关闭防火墙,selinux;配置静态IP,网络中避免有其他的DHCP服务开启
DHCP-TFTP:192.168.221.128/24
Web:192.168.221.128
[root@localhost ~]# systemctl disable firewalld && systemctl stop firewalld
[root@localhost ~]# setenforce 0
[root@localhost ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33 //修改或添加如下参数
ONBOOT="yes"
BOOTPROTO="none"
IPADDR="192.168.x.y" //x为NAT模式的IP地址段第三段.(这里示例是221)、y>3(这里示例是128)
PREFIX="24"
GATEWAY="192.168.x.2"
DNS1="223.5.5.5"
重启网卡
[root@localhost ~]# systemctl disable NetworkManager
[root@localhost ~]# systemctl stop NetworkManager
[root@localhost ~]# systemctl restart network
PXE是INTEL公司开发的网络引导技术,工作在client/service模式,允许客户机从网络在远程服务器下载引导镜像,并加载安装文件或者整个操作系统
PXE(preboot execute environment,预启动执行环境)是由 Intel公司开发的技术,工作于Client/Server的网络模式,支持工作站通过网络从远端服务器下载映像,并由此支持通过网络启动操作系统,在启动过程中,终端要求DHCP服务器分配IP地址,再用 TFTP(trivial file transfer protocol)协议下载一个启动软件包到本机内存中执行,由这个启动软件包完成终端(客户端)基本软件设置,从而引导预先安装在服务器中的终端操作系统。
iPXE是PXE的扩展版,支持HTTP协议,可以通过http、ISCSI SAN、Fibre Channel SAN via FCoE AoE SAN wireless network Infiniband network等方式启动
优点:
规模化:同时装配多台服务器
自动化:安装系统,配置各种服务
远程实现:不需要光盘、U盘等安装介质
ipxe/
├── centosboot ----centos7启动引导文件
├── kickstart ----存放应答文件
├── menu ----引导启动菜单
├── pxefile ----pxe启动文件
├── pxelinux.cfg ----配置文件目录
└── tftpboot ----tftp工作目录
[root@localhost ~]# mkdir -p /data/wwwroot/ipxe/{centosboot,kickstart,menu,pxefile,tftpboot,pxelinux.cfg}
[root@localhost ~]# yum -y install gcc binutils make perl liblzma xz-devel mtools mkisofs
[root@localhost ~]# mkdir -p /soft/ipxe && cd /soft/ipxe
//本地获取(终端直接拖进去)
[root@localhost ipxe]# rz ipex.zip
//网络获取(比较慢)
[root@localhost ipxe]# git clone git://git.ipxe.org/ipxe.git
[root@localhost ipxe]# unzip ipxe.zip //先解压缩
[root@localhost ipex]# cd ./src
[root@localhost src]# cat >>bootserver.ipxe<<EOF
#!ipxe
dhcp
chain http://192.168.221.128/ipxe/boot.ipxe
EOF
注意:http://192.168.221.128/ipxe/boot.ipxe为pxe引导以后的参数文件地址
复制引导文件undionly.kpxe到tftp服务目录下,在dhcp服务器中指定tftp服务器IP与启动文件名称。用于pxe开机启动时获取到IP地址,以及tftp启动服务器的地址,启动文件名称。
[root@localhost src]# make bin/undionly.kpxe EMBED=bootserver.ipxe
[root@localhost src]# cp bin/undionly.kpxe /data/wwwroot/ipxe/tftpboot/
[root@localhost src]# ls /data/wwwroot/ipxe/tftpboot/
undionly.kpxe
[root@localhost ~]# yum install dnsmasq -y
[root@localhost ~]# cat >/etc/dnsmasq.d/pxe.conf<<EOF
bind-interfaces
dhcp-range=192.168.221.15,192.168.221.250,255.255.255.0,8h
dhcp-option=option:router,192.168.221.2
dhcp-option=option:dns-server,223.5.5.5,223.6.6.6
dhcp-boot=undionly.kpxe,server.name,192.168.221.128
enable-tftp
tftp-root=/data/wwwroot/ipxe/tftpboot/
EOF
[root@localhost ~]# systemctl enable dnsmasq && systemctl start dnsmasq
参数说明:
dhcp-range=192.168.221.15,192.168.221.250,255.255.255.0,8h
----地址分配的起为192.168.221.15,结束为192.168.221.250,掩码为255.255.255.0,租约为8小时
dhcp-option=option:router,192.168.221.2
----定义网关为192.168.221.2
dhcp-option=option:dns-server,223.5.5.5,223.6.6.6
----定义DNS 地址223.5.5.5,223.6.6.6
dhcp-boot=undionly.kpxe,server.name,192.168.221.128
----定义启动文件名与tftp服务地址IP
enable-tftp
----启用tftp
tftp-root=/data/wwwroot/ipxe/tftpboot/
----定义tftp服务目录,与上一步生的路径一致
DHCP:67,UDP;TFTP:69,UDP
[root@localhost ~]# ss -nupl | grep dnsmasq | egrep "67|69"
指定ipxe启动以后的ipxe引导文件
ipxe通过http://192.168.221.128/ipxe/boot.ipxe进行访问引导配置文件,因此需要配置web服务。
[root@localhost ~]# yum install epel-release -y
[root@localhost ~]# yum install nginx -y
[root@localhost ~]# vim /etc/nginx/nginx.conf //修改或添加如下参数
server {
listen 80;
.....
root /data/wwwroot/;
#主目录
location / {
autoindex on;
#启用目录浏览
index index.html;
}
[root@localhost ~]# systemctl start nginx && systemctl enable nginx
使用boot.ipxe中指明配置菜单default的位置,在菜单中指定启动安装进程。
[root@localhost ~]# vim /data/wwwroot/ipxe/boot.ipxe
//完整文件boot.ipxe内容如下
#!ipxe
set web-ip 192.168.221.128
:start
menu Welcome to iPXE's Boot Menu
item
item --gap -- ------------------------- Utilities ------------------------------
item centos centos7.9
item reboot Reboot
item exit Exit (boot local disk)
choose --default centos --timeout 3000 target && goto ${target}
:centos
dhcp
kernel http://${web-ip}/ipxe/centosboot/vmlinuz initrd=initrd.img ks=http://${web-ip}/ipxe/kickstart/ks79.cfg ksdevice=bootif net.ifnames=0 biosdevname=0
initrd http://${web-ip}/ipxe/centosboot/initrd.img
boot || goto failed
goto start
:reboot
reboot
:exit
exit
[root@localhost ~]# mount CentOS-7-x86_64-DVD-2009.iso /mnt/
//网络安装源
[root@localhost ~]# mkdir -p /data/wwwroot/os/centos7/
[root@localhost ~]# cp -rvf /mnt/. /data/wwwroot/os/centos7/
[root@localhost ~]# cp /mnt/isolinux/vmlinuz /data/wwwroot/ipxe/centosboot/
[root@localhost ~]# cp /mnt/isolinux/initrd.img /data/wwwroot/ipxe/centosboot/
这里复制完成后可以删除镜像文件,以免浪费空间
[root@localhost ~]# umount /mnt/
[root@localhost ~]# rm -rf CentOS-7-x86_64-DVD-2009.iso
/data/wwwroot/ipxe/kickstart/
下。url --url="http://192.168.221.128/os/centos7/"
为实际网络安装源地址,根据实际地址修改[root@localhost ~]# vim /data/wwwroot/ipxe/kickstart/ks79.cfg
//具体内容如下:
#version=DEVEL
#System authorization information
auth --enableshadow --passalgo=sha512
#Use CDROM installation media
url --url="http://192.168.221.128/os/centos7/"
#cdrom
#Use graphical install
#text
graphical
#Run the Setup Agent on first boot
firstboot --enable
ignoredisk --only-use=sda
#Keyboard layouts
keyboard --vckeymap=cn --xlayouts='cn'
#System language
lang zh_CN.UTF-8
#Network information
network --bootproto=dhcp --device=link --activate --hostname=localhost.
#Root password
rootpw "123456"
#System services
services --enabled="chronyd"
#System timezone
timezone Asia/Shanghai --isUtc
#System bootloader configuration
bootloader --append=" crashkernel=auto" --location=mbr --boot-drive=sda
#Partition clearing information
#Disk partitioning information
clearpart --all --initlabel
#autopart是自动磁盘分区,后面附上磁盘分区
autopart --type=lvm
#SELinux configuration
selinux --disabled
#Firewall configuration
firewall --disabled
#Reboot after installation
reboot
%packages
@^minimal
@core
@development tools
chrony
wget
vim
ntpdate
zlib
zlib-devel
pcre
pcre-devel
openssl-devel
%end
%post --interpreter=/bin/bash
cat >/etc/security/limits.d/20-nproc.conf<<EOF
* soft nproc 65536
* hard nproc 65536
* soft nofile 65536
* hard nofile 65536
root soft nproc unlimited
EOF
mv /etc/selinux/config{,.ori}
cat >/etc/selinux/config<<EOF
SELINUX=disabled
SELINUXTYPE=targeted
EOF
systemctl disable firewalld
%end
内存最小2G,单个磁盘,进入安装菜单选项,自动进行安装系统。
调整分辨率及背景图片
[root@localhost ~]# cd /soft/ipxe/src/
[root@localhost ~]# vim config/console.h
修改(即去掉双斜杠,表示启用)
//#define CONSOLE_FRAMEBUFFER /* Graphical framebuffer console */
为
#define CONSOLE_FRAMEBUFFER /* Graphical framebuffer console */
[root@localhost ~]# vim config/general.h:
//最终修改效果(即去掉双斜杠,表示启用):
#define IMAGE_PNG /* PNG image support */
#define CONSOLE_CMD /* Console commands */
[root@localhost ~]# make bin/undionly.kpxe EMBED=bootserver.ipxe
[root@localhost ~]# mv /data/wwwroot/ipxe/tftpboot/undionly.kpxe{,.ori}
[root@localhost ~]# cp bin/undionly.kpxe /data/wwwroot/ipxe/tftpboot/
boot.ipxe格式:
在引导菜单中设置分辨率指令(最大是1024x768)
console --x 1024 --y 768
设置背景图(PNG格式)
console --picture http://boot.ipxe.org/ipxe.png
[root@localhost ~]# vim /data/wwwroot/ipxe/boot.ipxe
//添加两行,splash.png是图片名称,该图片需要提前放入到/data/wwwroot/ipxe/menu/
#!ipxe
set web-ip 192.168.221.128
console --x 1024 --y 768
console --picture http://${web-ip}/ipxe/menu/splash.png
#autopart --type=lvm 把自动分区注释掉,添加下面自定义内容
part /boot --fstype xfs --size=1024
part swap --size=4096
part pv.01 --size=1 --grow
volgroup vg_centos pv.01
logvol / --vgname=vg_centos --fstype xfs --size=1 --grow --name=lv_root
[root@localhost ~]# vim /data/wwwroot/ipxe/kickstart/ks79.cfg //添加内容,完成配置
%post --interpreter=/bin/bash------%end
之间是Linux命令,表示安装时需要完成的指令
(10.36.133.254是学校资源下载网址)
mkdir -p /apps/
wget -O /apps/installdb.sh http://10.36.133.254/script/installdb.sh &>/dev/null
chmod o+x /apps/installdb.sh
/bin/bash /apps/installdb.sh
CURIP=$(ip -4 addr show scope global | awk 'NR==2 {print $2}' | awk -F '/' '{print $1}')
#配置静态IP
sed -i 's/BOOTPROTO="dhcp"/BOOTPROTO="none"/g' /etc/sysconfig/network-scripts/ifcfg-eth0
cat >>/etc/sysconfig/network-scripts/ifcfg-eth0<<EOF
IPADDR="${CURIP}"
PREFIX="24"
GATEWAY="192.168.221.2"
DNS1="223.5.5.5"
DNS2="223.6.6.6"
EOF
cat >>/etc/issue<<EOF
IP:${CURIP}
EOF
ssh-keygen -t rsa -P "" -f /root/.ssh/id_rsa
cat >/var/spool/cron/root<<EOF
*/5 * * * * /sbin/ntpdate ntp1.aliyun.com &>/dev/null
EOF
方法一:下载ssh主控方的公钥,形成主控方对客户端的单向信任,需要提前把主控端的公钥上传到nginx上
主控端192.168.221.128:
[root@localhost ~]# ssh-keygen -t rsa -P "" -f /root/.ssh/id_rsa
[root@localhost ~]# mkdir /data/wwwroot/pubkey/
[root@localhost ~]# cp /root/.ssh/id_rsa.pub /data/wwwroot/pubkey/192.168.221.128_pub
修改应答文件
[root@localhost ~]# vim /data/wwwroot/ipxe/kickstart/ks79.cfg
//加入以下内容:
mkdir -p /root/.ssh && chmod 700 /root/.ssh && chown root:root /root/.ssh/ 2> /dev/null
wget -O /root/.ssh/authorized_keys http://192.168.221.128/pubkey/192.168.221.128_pub 2> /dev/null
chmod 600 /root/.ssh/authorized_keys 2> /dev/null
chown root:root /root/.ssh/authorized_keys 2> /dev/null
方法二:<主控端→受控端>建立ssh信任脚本方式(方法一和方法二原理相同)
主控端192.168.221.128:
[root@localhost ~]# mkdir -p /data/wwwroot/{pubkey,script}
[root@localhost ~]# ssh-keygen -t rsa -P "" -f /root/.ssh/id_rsa
[root@localhost ~]# cp /root/.ssh/id_rsa.pub /data/wwwroot/pubkey/192.168.221.128_pubkey
[root@localhost ~]# chmod 644 /data/wwwroot/pubkey/192.168.221.128_pubkey
[root@localhost ~]# cat >/data/wwwroot/script/install_ssh_pubkey.sh<<eof
#!/bin/bash
wget -O /tmp/192.168.221.128_pubkey http://192.168.221.128/pubkey/192.168.221.128_pubkey &>/dev/null
mkdir -p /root/.ssh && chmod 700 /root/.ssh
cat /tmp/192.168.221.128_pubkey >>/root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
chown -R root:root /root/.ssh/
rm -f /tmp/192.168.221.128_pubkey
eof
[root@localhost ~]# yum install dos2unix -y
[root@localhost ~]# dos2unix /data/wwwroot/script/install_ssh_pubkey.sh
修改应答文件
[root@localhost ~]# vim /data/wwwroot/ipxe/kickstart/ks79.cfg
//加入以下内容:
#下载ssh受控端部署脚本
wget -O /root/install_ssh_pubkey.sh http://192.168.221.128/script/install_ssh_pubkey.sh &>/dev/null
#授权
chmod o+x /root/install_ssh_pubkey.sh
#执行
/bin/bash /root/install_ssh_pubkey.sh
主控端192.168.128搭建rsync同步服务器
[root@localhost ~]# yum -y install rsync
[root@localhost ~]# systemctl start rsyncd && systemctl enable rsyncd
[root@localhost ~]# vim /etc/rsyncd.conf
uid = root
gid = root
use chroot = no
read only = no
hosts allow=192.168.221.0/255.255.255.0
max connections = 5
pid file = /var/run/rsyncd.pid
secrets file = /etc/rsyncd/rsyncd.passwd
log file = /var/log/rsync.log
transfer logging = yes
log format = %t %a %m %f %b
syslog facility = local3
timeout = 300
[ipxebackup]
path = /opt/
list=yes
ignore errors=yes
auth users = backup
[root@localhost ~]# mkdir -p /etc/rsyncd/
[root@localhost ~]# echo 'backup:123456' >>/etc/rsyncd/rsyncd.passwd
[root@localhost ~]# chmod 600 /etc/rsyncd/rsyncd.passwd
[root@localhost ~]# systemctl restart rsyncd
修改应答文件
[root@localhost ~]# vim /data/wwwroot/ipxe/kickstart/ks79.cfg
//加入以下内容:
CURIP=$(ip -4 addr show scope global | awk 'NR==2 {print $2}' | awk -F '/' '{print $1}')
ssh-keygen -t rsa -P "" -f /root/.ssh/id_rsa
echo '123456' >>/rsyncd.passwd
chmod 600 /rsyncd.passwd
mkdir /backup
cp /root/.ssh/id_rsa.pub /backup/${CURIP}_pubkey
rsync -avz --progress /backup backup@192.168.221.128::ipxebackup --password-file=/rsyncd.passwd
主控端192.168.221.128:
[root@localhost ~]# mkdir -p /data/wwwroot/{script,software}
//上传nginx安装包到/data/wwwroot/software
[root@localhost ~]# vim /data/wwwroot/script/install_nginx.sh
#!/bin/bash
NGX_VERSION="1.22.1"
wget -O /tmp/nginx-${NGX_VERSION}.tar.gz http://192.168.221.128/software/nginx-${NGX_VERSION}.tar.gz 2>/dev/null
cd /tmp
tar xzf nginx-${NGX_VERSION}.tar.gz && cd nginx-${NGX_VERSION}
./configure --prefix=/usr/local/nginx &>>/root/nginx.log
make &>>/root/nginx_make.log
make install &>>/root/nginx_make_install.log
rm -rf /tmp/{nginx-${NGX_VERSION},nginx-${NGX_VERSION}.tar.gz} 2>/dev/null
修改应答文件
[root@localhost ~]# vim /data/wwwroot/ipxe/kickstart/ks79.cfg
//加入以下内容:
wget -O /root/install_nginx.sh http://192.168.221.128/script/install_nginx.sh &>/dev/null
chmod +x /root/install_nginx.sh
/bin/bash /root/install_nginx.sh
主控端192.168.221.128:
[root@localhost ~]# mkdir -p /data/wwwroot/software
//上传sshpassRPM包(sshpass-1.06-2.el7.x86_64.rpm)到该文件夹中
修改应答文件
[root@localhost ~]# vim /data/wwwroot/ipxe/kickstart/ks79.cfg
//加入以下内容:
CURIP=$(ip -4 addr show scope global | awk 'NR==2 {print $2}' | awk -F '/' '{print $1}')
cat >>/etc/issue<<EOF
IP:${CURIP}
EOF
ssh-keygen -t rsa -P "" -f /root/.ssh/id_rsa
#下载安装sshpass组件
rpm -ivh http://192.168.221.128/software/sshpass-1.06-2.el7.x86_64.rpm &>/root/sshpass.log
#远程创建文件夹
sshpass -p '1' ssh -o "stricthostkeychecking=no" root@192.168.221.128 "mkdir -p /opt/{scp_bak,rsync_bak}/${CURIP}/"
#scp备份
sshpass -p '1' scp /root/.ssh/id_rsa root@192.168.221.128:/opt/scp_bak/${CURIP}/ &>/root/scp.log
sshpass -p '1' scp /root/.ssh/id_rsa.pub root@192.168.221.128:/opt/scp_bak/${CURIP}/ &>/root/scp.log
#rsync同步
sshpass -p '1' rsync -avz -e "ssh -o stricthostkeychecking=no" /root/.ssh/id_rsa root@192.168.221.128:/opt/rsync_bak/${CURIP}/ &>/root/rsync.log
sshpass -p '1' rsync -avz -e "ssh -o stricthostkeychecking=no" /root/.ssh/id_rsa.pub root@192.168.221.128:/opt/rsync_bak/${CURIP}/ &>/root/rsync.log